January 13, 2020

Summary

A team of security researchers disclosed several software analysis methods that, when used for malicious purposes, have the potential to improperly gather sensitive data from many types of computing devices with many different vendors’ processors and operating systems.

Systems with microprocessors utilizing speculative execution and indirect branch prediction may allow unauthorized disclosure of information to an attacker with local user access via a side-channel analysis. [1]

The good news is that patches are out for almost everything. [2]

Microsoft has released several updates to help mitigate these vulnerabilities. They have also taken action to secure their cloud services. [5]

AWS has all but a small single-digit percentage of instances across the Amazon EC2 fleet already protected. The remaining ones will be completed in the next several hours, with associated instance maintenance notifications. [3]

Spectre, in particular, can't be completely mitigated by patching as it seems it will require a hardware fix. The good news is that Spectre is harder to exploit. No known exploitation for this is occurring in the wild, but that will change. The SANS Internet storm center will be updated as the situation warrants. [2]

Impact

Firefox's initial testing has shown it is possible to trigger these flaws remotely via web content, so devices that browse the web or execute external content are particularly vulnerable. [6]

Google Chrome is also affected, and according to Google, Chrome will receive a fix in Chrome 64 which will be released on January 23rd. Chrome also provides options for users to enable that will help reduce the effectiveness of these attacks:[6]

Cloud providers without real hardware virtualization, relying on containers that share one kernel, such as Docker, LXC, or OpenVZ are affected.

The bad news is, the fixes can slow down your devices with some initial (disputed) reporting of an up to 30% performance hit to the CPU.[2]

Vulnerable

This affects many modern processors, including certain processors by Intel, AMD and ARM. So far, there are three known variants of the issue:[7]

Variant 1: bounds check bypass (CVE-2017-5753)

Variant 2: branch target injection (CVE-2017-5715)

Variant 3: rogue data cache load (CVE-2017-5754)

Recommendations

Campus IT providers are working with ISP and vendors to evaluate and apply the appropriate patches and mitigations. As this affects almost all systems, the deployment timeline will vary. [9]

ISP is recommending any un-managed devices by EEI/CCS-IT will need to apply patches on their own. Admins of self-managed servers should also apply the necessary patches keeping in mind there is a performance hit.

ISP will provide updates as more information becomes available. Please keep in mind that there are no known exploits in the wild using these vulnerabilities yet and that they are a bit more difficult to successfully leverage. This should give admins extra time to get the patches out. As always patching is critical and necessary. At some point in the future, these vulnerabilities will be weaponized and most likely be included in turnkey exploitation tools such as Metasploit and the like.